skills-managing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The 'INGEST' mode protocol (Section 2) instructs the agent to perform 'git clone {repo}' from user-provided or external sources. This enables the introduction of untrusted content into the agent's environment.- COMMAND_EXECUTION (MEDIUM): The skill utilizes filesystem commands such as 'mkdir -p' and 'write_to_file' to modify the local directory structure where skills are stored.- INDIRECT PROMPT INJECTION (HIGH): This skill defines an attack surface (Category 8) by facilitating the ingestion of external data (git repositories) into the agent's core instruction set (the '.agent/skills/' directory). * Evidence: Ingestion point is the 'git clone' command; no boundary markers are defined; capabilities include file system modification; sanitization steps are absent. This allows an attacker to provide a malicious repository that compromises the agent's behavior.
Recommendations
- AI detected serious security threats
Audit Metadata